• Integrates with the operating system of a host computer and monitors program behavior in real time for malicious action
• Blocks potentially malicious actions before they have a chance to affect the system
• Blocks software in real time so it has an advantage over anti-virus detection techniques such as fingerprinting or heuristics

Limitations
• Because malicious code must run on the target machine before all its behaviors can be identified, it can cause harm before it has been detected and blocked